
We have an issue we’ve been struggling with for quite some time since we rolled out 10 Samba4 domain controllers at our main office and all remote sites about 3 years ago.

Simplified Current Configuration:

  • 2 DCs at main site with internal DNS using subdomain ad.companyname.com
  • 2 BIND CentOS servers serving all intranet DNS requests — main zone: companyname.com
  • 2 BIND CentOS servers serving all external site DNS requests — main zone: companyname.com

In this configuration, we have configured the internal BIND servers to have the S4 AD DCs internal DNS as authoritative for ad.companyname.com, so clients connected to the BIND servers can resolve anything Samba needs them to. This allows all client machines on the LAN to resolve any dynamic DNS address AD creates, join the domain, etc, and it’s easy to configure when provisioning new DCs. (This is important with so many DCs).

When we provision servers which are bound to the domain, clients access them via DNS entries configured on the main BIND DNS servers, so they have addresses like hostname.companyname.com, which clients use to connect to the servers/services. They also have ad.companyname.com hostnames created by S4 internal DNS, but we don’t point clients at those names.

The problem:

Some services (mostly OS X server that we’ve noticed so far) when bound to AD don’t seem to like having the clients pointed at a different DNS name than the samba subdomain. For example:

OS X 10.11 (also tried 10.6) Server, bound to AD, running SMB file server:

  • When connecting to fileserver.companyname.com
    • The user must authenticate as ad.companyname.com\shortname OR
    • The user must authenticate as shortname@ad.companyname.com
    • Using AD\shortname does not work
  • When connecting to fileserver.ad.companyname.com
    • The user can authenticate as just short name

Another example:

OS X Server 10.11, bound to AD, running Profile Manager:

  • Users can authenticate to the PHP web interface using just shortname
  • Users can’t authenticate during device enrollment on the iOS device with their AD credentials

Notes:

In the first example, one solution is to simply point the clients at fileserver.ad.companyname.com, but management is resistant to this idea. In the second example, for the Profile Manager MDM, the server lives on the DMZ so that off-campus clients can still connect to the MDM; it has both internal and external DNS entries, so having a public-facing ad.companyname.com address is not a great option.

Questions:

  • Would setting up a WINS server help with this?
  • Would setting a default search domain from DHCP help with this?
  • Is there some way to have a Samba4 AD-Joined host have a domain name on the base domain (actually, not just a separate record on BIND pointing to the same IP)?
    • If so, is it possible to do this with the internal DNS?
  • Is there some way to integrate Samba4 AD DNS directly with my intranet BIND DNS setup so that domain-joined hosts get DNS names in the base DNS domain (companyname.com)?
  • My instinct was first to make an answer, that the behavior you mention (_the problem_, and _another example_, above) is exactly the way OS X is designed to work; for sure if OS X Server was doing the AD, it absolutely requires the hostname to match the FQDN, and would get confused with the multiple DNS names at different hostnames. – bourneN5years Jun 26 '16 at 00:44
  • If you didn't see this [Apple post](https://support.apple.com/en-us/HT201885) already, this may answer your question, or really help out. Update us, and I'd enjoy formulating it as an answer, etc., or looking further if needed. – bourneN5years Jun 26 '16 at 00:45
  • So we ended up working around by starting over. Stopped using S4 and migrated to Server 2016 AD-DS. We conf'd AD from domain provisioning w/ FQDN root so that the subdomain is no longer needed, and the Apple login issue is gone. One of the major reasons for the migration was licensing costs. It seems like you would save $ w/ S4-AD, but you are still required to purchase Windows Server CALs if you join any Windows Server machines or Windows workstations to your S4 AD domain due to indirect usage license requirements. W/ S4-AD DCs, all you save is Win SRV licenses for the DCs, and you add a TON of bugs. – Thomas Maerz Jun 27 '18 at 17:51
  • @bourneN5years, thanks for the response, sorry for the super late replies. What I was hoping for in an answer was someone who knew some hidden way to configure the OS X SMB fileserver (or clients) to cut out the domain it's inserting based on the FQDN the user's accessing and insert a domain name I configure. This is the default behavior of non-domain-joined Windows workstations connecting to a domain fileserver with no specified domain, as well as Linux Samba file servers. FreeRADIUS actually allows you to configure this however you'd like, so you can strip ANY/ALL domains sent and replace them. – Thomas Maerz Jun 27 '18 at 17:56
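The three logon syntaxes the question contrasts (`ad.companyname.com\shortname`, `shortname@ad.companyname.com` and a bare `shortname`), together with the "strip the guessed domain and substitute a configured one" behaviour the asker describes for FreeRADIUS, as an added Python example. This is not code from the original post, from Samba or from Apple; it models the mapping a file server has to perform before it can pick a Kerberos principal. It assumes the realm is `AD.COMPANYNAME.COM` and the domain's NetBIOS name is `AD` (both inferred from the question's placeholders). The default tables reproduce what the question reports on OS X Server (only the `ad.` subdomain maps to the realm, and `AD\shortname` is rejected); the "configured" tables are the mapping the asker wants, where a client that connected via `fileserver.companyname.com` can log on with a bare short name.

```python
"""Map the logon-name forms an AD-joined SMB server receives to (user, realm).

Added example for the question above; not Samba or Apple code.
Realm and NetBIOS name are assumptions based on the question's placeholders.
"""
from typing import Dict, NamedTuple, Optional, Tuple

REALM = "AD.COMPANYNAME.COM"  # assumed Kerberos realm of the Samba4 domain

# Behaviour the question reports: only the AD subdomain is known, and the
# NetBIOS form (AD\user) is not accepted at all.
DEFAULT_HOST_REALMS: Dict[str, str] = {"ad.companyname.com": REALM}
DEFAULT_NETBIOS: Dict[str, str] = {}

# Behaviour the asker wants: the base domain also maps to the realm, and the
# NetBIOS name (assumed to be "AD") is accepted.
CONFIGURED_HOST_REALMS: Dict[str, str] = {
    "companyname.com": REALM,
    "ad.companyname.com": REALM,
}
CONFIGURED_NETBIOS: Dict[str, str] = {"AD": REALM}


class Logon(NamedTuple):
    user: str
    realm: str
    form: str  # "netbios", "dns-domain", "upn" or "bare"


def _realm_for_domain(domain: str, host_realms: Dict[str, str],
                      netbios_names: Dict[str, str]) -> Tuple[Optional[str], str]:
    """Resolve a domain as typed by the user (or guessed from the host name)."""
    d = domain.strip().rstrip(".")
    if not d:
        return None, ""
    if d.upper() in netbios_names:            # AD\user
        return netbios_names[d.upper()], "netbios"
    if d.upper() == REALM:                    # ad.companyname.com\user
        return REALM, "dns-domain"
    if d.lower() in host_realms:              # a DNS domain we chose to map
        return host_realms[d.lower()], "dns-domain"
    return None, ""                           # unknown domain: refuse, do not guess


def _parent_domain(fqdn: str) -> str:
    """fileserver.companyname.com -> companyname.com"""
    labels = fqdn.lower().rstrip(".").split(".")
    return ".".join(labels[1:]) if len(labels) > 1 else ""


def normalise_logon(name: str, accessed_host: str,
                    host_realms: Optional[Dict[str, str]] = None,
                    netbios_names: Optional[Dict[str, str]] = None) -> Optional[Logon]:
    """Return the Logon the server should authenticate, or None if the domain
    the client supplied (or that we would have to guess) cannot be mapped."""
    host_realms = DEFAULT_HOST_REALMS if host_realms is None else host_realms
    netbios_names = DEFAULT_NETBIOS if netbios_names is None else netbios_names

    if "\\" in name:                                    # DOMAIN\user
        domain, _, user = name.partition("\\")
        realm, form = _realm_for_domain(domain, host_realms, netbios_names)
        return Logon(user, realm, form) if realm and user else None

    if "@" in name:                                     # user@realm (UPN)
        user, _, domain = name.rpartition("@")
        realm, _ = _realm_for_domain(domain, host_realms, netbios_names)
        return Logon(user, realm, "upn") if realm and user else None

    # Bare short name: the server must guess the domain, and (as the question
    # describes) guesses from the DNS name the client used to reach it.
    realm, _ = _realm_for_domain(_parent_domain(accessed_host), host_realms, netbios_names)
    return Logon(name, realm, "bare") if realm and name else None


if __name__ == "__main__":
    for user, host in [("alice", "fileserver.companyname.com"),
                       ("alice", "fileserver.ad.companyname.com"),
                       ("AD\\alice", "fileserver.companyname.com"),
                       ("alice@ad.companyname.com", "fileserver.companyname.com")]:
        print(f"{user:28} via {host:30} default: {normalise_logon(user, host)}")
        print(f"{'':28}     {'':30} configured: "
              f"{normalise_logon(user, host, CONFIGURED_HOST_REALMS, CONFIGURED_NETBIOS)}")
```

The point of refusing unknown domains rather than falling back to the realm is that a server which silently substitutes its own realm for whatever domain the client typed would also accept `otherdomain\alice` as `alice@AD.COMPANYNAME.COM`; the substitution should only happen for domains the administrator has explicitly listed.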
